David Davis explains why the Cisco Self-Defending Network might be the right choice for your company.
If you're a cynical consumer, the Cisco Self-Defending Network (CSDN) solution probably begs the sarcastic question: "Yeah, right; the network that can just defend itself?" However, as Cisco typically makes quality products and solutions, I can't believe that the self-defending network concept is all bad; actually, it may even be the best solution on the market today.
Why look at security solutions in the first place?
Since every business today depends on the Internet and LAN networks for some business-critical function, the need for security is more important than ever. A company that does not have strong security can end up on the news as being hacked, their stock can plummet, and they can be out of business in no time. Once released, viruses and worms can hit businesses and consumers around the world in a matter of seconds or minutes.
However, you and your company don't have unlimited funds; you can't just put in every solution you discover. You have to weigh the level of investment in security with the level of risk that is perceived by your business. It's tough to decide how much to invest and what solutions to choose, but you must ensure that your network is reasonably secure.
What is the Self-Defending Network?
The CSDN is a large complex roadmap made up of many Cisco components. You aren't required to have all the components. CSDN does its job using all these different components. Examples of these components are Cisco NAC (admission control), Cisco Security Agent (endpoint protection), Cisco MARS (event correlation), Network Intrusion Detection System (NIDS), authentication servers, Anti-X systems like ASA and Ironport, network and host-based firewalls, and antivirus.
The theory of CSDN is that the network has the ability and the intelligence to protect itself from threats. However, this can only happen if the components of the network are working together to ensure this level of security, intelligence, and adaptability.
How do the components of the CSDN work together?In Figure A, you can see how the components of the CSDN are all over the network. Every link, piece of hardware, and operating system is somehow secured by the CSDN. By covering all the bases, CSDN attempts to thwart security issues wherever they crop up in the network. In addition, the attempt of the CSDN is to provide end-to-end visibility of the network's security events and status.
Graphic courtesy of Cisco.
Network devices must work together and be integrated in order for the CSDN to do its job. Therefore, you probably aren't going to have third-party network components on your network participate in the CSDN.
Besides hardware components, what else is involved in CDSN?
While you can buy all the network hardware components you like, software and services are also a huge part of CSDN. Just as with anything else, without the people (services), the hardware isn't going to implement itself. Once the CSDN is implemented and the servicemen are gone, the network will still need to be monitored and maintained.Cisco offers a lot of services revolving around the Self-Defending Network. Figure B illustrates these offerings:
Graphic courtesy of Cisco.
As you can see, Cisco offers services beginning with planning the network and moving through designing, implementing, and operating the network. Later, Cisco can come back and optimize the implemented security systems.
While this all sounds great, I would caution anyone evaluating a security solution to determine how much time and effort will be required to implement and maintain that solution. Undoubtedly, the long-term maintenance of any security system is far greater than the original price tag.
How are credentials fundamental for network security?
When it comes to the implementation of the CSDN, user and device credentials are very important. The user and device credentials are used to identify that device and to authenticate the user.In Figure C, you can see how the device identification is checked, then the operating system and application posture, and the user identity, based on username, password, and security certificate keys.
Graphic courtesy of Cisco.
As you can see, user and device credentials are critical to the success of CSDN.
Where are the security standards in CSDN?
There are a number of standards at work in the CSDN roadmap. One of the most crucial technologies related to the CSDN is Network Admission Control (NAC). NAC is used to review device security posture before admisson to the network. In many cases, this is done with 802.1X; however, that is only part of what NAC does and how it works.
The battle between Cisco's NAC and Microsoft's new Network Access Protection (NAP) is about to heat up. Fortunately for consumers, both companies have agreed that there will be some compatibilities and interoperability between these two technologies. In the end, there are many standards at work in creating this self-defending network.
What is the future of CSDN?
A complex framework, CDSN has a goal for all of their devices to communicate together, preventing any danger to the network. The theory is that the devices will collaborate, with one device telling another that it is in danger. In my mind, the thought of many different hardware and software network security devices all working together sounds almost too good to be true.
However, devices still don't easily integrate with other Cisco security devices, as they aren't easy to implement and are typically expensive. Even though the CSDN framework has been around for over six years, there's still a lot of work left to be done before networks can truly be self-defending.
David Davis has worked in the IT industry for 15+ years and holds several certifications, including CCIE, CCNA, CCNP, MCSE, CISSP, VCP. He has authored hundreds of articles and numerous IT training videos. Today, David is the Director of Infrastructure at Train Signal.com. Train Signal, Inc. is the global leader in video training for IT Professionals and end users.
This SolutionBase article was originally published in December 2007.